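<?php
require_once("../inc.public.php");

// Tooriya order callback.
//
// Flow (all inside the `if($post_s)` guard):
//   1. verify the request signature carried in $post_s['key']
//   2. check the member's username / password and wallet balance
//   3. deduct the amount from the member's wallet and record the transaction
//   4. redirect back to $post_s['return'] with a signed ew_status
//
// ew_status values emitted by this script:
//   200 = no key supplied, 201 = signature mismatch,
//   '2' = invalid / terminated account, '3' = insufficient balance,
//   '4' = wallet deduction failed, '1' = success (or nothing to deduct).
//
// $post_s, $db, $vars, TOORIYA_SECRET_KEY, get_user_detail_by_username(),
// ndate(), ntime() and email_admin() all come from ../inc.public.php.

// Initialised up front so the "no error so far" checks below never read an
// undefined variable (the original relied on an unset $ew_status being falsy).
$ew_status = 0;
$critical_error = '';
$get = '';
$user = null;

if($post_s){
	// --- 1. verify genuine request -------------------------------------
	// key format: md5(amount . currency_code . secret . salt) . ':' . salt
	if(!isset($post_s['key'])){
		$ew_status = 200;
	}else{
		// array_pad keeps both parts defined even when the key has no ':'
		$this_sig = array_pad(explode(':', $post_s['key']), 2, '');
		$incoming_sig = $this_sig[0];
		$salt = $this_sig[1];
		$amount_in = isset($post_s['amount']) ? $post_s['amount'] : '';
		$currency_in = isset($post_s['currency_code']) ? $post_s['currency_code'] : '';
		$calculated_sig = md5($amount_in . $currency_in . TOORIYA_SECRET_KEY . $salt);
		// Strict comparison: with '!=' two hex digests of the form '0e...'
		// compare as equal numbers. (hash_equals() is the preferred
		// constant-time compare where PHP >= 5.6 is available.)
		if($incoming_sig !== $calculated_sig){
			$ew_status = 201;
		}
	}

	// --- 2. verify member credentials and balance ----------------------
	if(!$ew_status){
		$username_in = isset($post_s['ew_username']) ? $post_s['ew_username'] : '';
		$password_in = isset($post_s['ew_password']) ? $post_s['ew_password'] : '';
		if(!$username_in || !$password_in){
			$ew_status = '2';//invalid username / password
		}else{
			$user = get_user_detail_by_username($username_in);
			// NOTE(review): assumes a falsy return for an unknown username — confirm
			// against get_user_detail_by_username(); an unknown user still ends
			// in status '2' either way.
			if(!$user || $user['status'] == 'terminated'){
				$ew_status = '2';
			}else{
				// enc_password is stored as md5(password . salt) . ':' . salt
				$this_pass = array_pad(explode(':', $user['enc_password']), 2, '');
				$incoming_pass = md5($password_in . $this_pass[1]);
				// strict comparison for the same '0e...' reason as the signature check
				if($incoming_pass !== $this_pass[0]){
					$ew_status = '2';
				}elseif($user['mwallet'] < doubleval($amount_in)){
					$ew_status = '3';
				}
			}
		}
	}

	// --- 3. deduct the amount ------------------------------------------
	if(!$ew_status){
		// doubleval() guarantees $amount is numeric before it is interpolated into SQL
		$amount = doubleval(isset($post_s['amount']) ? $post_s['amount'] : 0);
		if($amount > 0){
			$uid = mysql_real_escape_string($user['id']);
			$sql = "update $db->users set mwallet=mwallet-$amount where id='$uid' limit 1";
			if(!mysql_query($sql)){
				$ew_status = '4';
				$critical_error = "Error deducting member's $vars[mwallet_title] account for $amount for order placed by member via Tooriya.\n\nSQL: $sql\n\nError: ".mysql_error()."\n";
			}else{
				$descr = mysql_real_escape_string("Order placed via Tooriya deducted $vars[currency]".number_format($amount, 2));
				$sql = "insert into $db->member_mwallet_record (uid, type, amount, descr, cdate) values ('$uid', 'd', '$amount', '$descr', '".ndate()."')";
				if(!mysql_query($sql)){
					// The wallet is already debited at this point, so the admin is told
					// exactly which statement to replay rather than failing the order.
					$critical_error = "Error recording the member's $vars[mwallet_title] history while member ID #$user[id] placed an order via Tooriya, this member's $vars[mwallet_title] has already been deducted with $vars[currency]".number_format($amount, 2)." but the transaction history could not be recorded. Please manually execute the SQL below to properly record the transaction:\n\nSQL: $sql\n\nError: ".mysql_error()."\n";
				}else{
					// Running balance: previous record's bal (0 when none) minus this amount.
					$new_eid = (int) mysql_insert_id();
					$last_bal = 0;
					$bal_res = mysql_query("select bal from $db->member_mwallet_record where uid='$uid' and id!=$new_eid order by id desc limit 1");
					if($bal_res && mysql_num_rows($bal_res) > 0){
						$last_bal = mysql_result($bal_res, 0);
					}
					if(!$last_bal){
						$last_bal = 0;
					}
					$last_bal -= $amount;
					// Best effort, as before: a failure here only leaves bal unset on the new row.
					@mysql_query("update $db->member_mwallet_record set bal='$last_bal' where id='$new_eid' limit 1");
				}
			}
			if(!$ew_status){
				$ew_status = '1';
			}
		}else{
			// Nothing to deduct (zero or negative amount) is reported as success.
			$ew_status = '1';
		}
	}

	// --- 4. build the signed response query string ---------------------
	$salt = md5(ntime());
	$calculated_key = md5($ew_status . TOORIYA_SECRET_KEY . $salt). ':' . $salt;
	$get = "ew_status=".urlencode($ew_status)."&key=".urlencode($calculated_key);
	$return_url = isset($post_s['return']) ? $post_s['return'] : '';
	if(strpos($return_url, '?') !== false){
		$get = '&'.$get;
	}else{
		$get = '?'.$get;
	}

	if($critical_error){
		$a_sub = "Tooriya Order - Fail to deduct member $vars[mwallet_title] account";
		$a_msg = "
		<p>Dear admin,</p>
		<p>The system had encountered some error while member ID #$user[id] placed an order via Tooriya and the error was:<br /><br />".nl2br($critical_error)."</p>";
		email_admin($a_sub, $a_msg, 'e');
	}
}

// NOTE(review): $post_s['return'] is caller-supplied and is used verbatim as
// the redirect target; it should be validated against the expected Tooriya
// return host before the Location header is sent — confirm what that host is.
$url = (isset($post_s['return']) ? $post_s['return'] : '').$get;
header("location: $url");
exit;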